Archive for the ‘General Tips’ Category

Microsoft have finally allowed us to create – on the fly – our own .iso images of Windows 8.1. This is great news, since as long as you have a valid Windows 8/8.1 key you can get a full version of 8.1 in whatever combination you need (32 bit or 64 bit, US or UK or any other language, Home or Pro) and create it whenever you need it. It makes life easy for when you lose your disk (or you get a system with no media provided!).

This message has recently been coming up on web sites that talk to PayPal for processing of funds. But what is it from, and how do you fix it?

There has been a recent flaw found in the SSLv3 protocol, one of the protocol versions used for SSL (secure) connections across the net, essentially allowing third parties to capture the traffic and read it (thus making the encryption useless). This fault has been called POODLE (Padding Oracle On Downgraded Legacy Encryption), and it spells the end of SSLv3 as an option. TLS is now the preferred protocol for secure connections across the net.

Looking at some of our Apache web servers, SSLv2 is off by default. So how do we make SSLv3 not an option as well? It's just a matter of editing the ssl.conf file (normally in the /etc/httpd/conf.d folder). Look for the following line (the - removes the option, + enables the option):

SSLProtocol -SSLv2

and simply add in SSLv3:

SSLProtocol -SSLv2 -SSLv3

or an even more secure way is to block all methods, and just select the ones you DO want:

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Then just restart the httpd service and it should be job done. To test your website for being safe from POODLE/SSLv3 use this page.
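To check an ssl.conf before restarting httpd, here is a small audit script written for this post (it is an added example, not the site's or Apache's own code). It applies mod_ssl's documented parsing rules for the SSLProtocol directive: names are processed left to right, a bare name or +name enables a version, -name disables it, and all expands to every version the build knows. The list of known versions is an assumption fixed to what the post discusses (SSLv2 through TLSv1.2), and the sample config lines are constructed: the stock RHEL-style line, the post's fix, and the allow-list form the post recommends.

```python
"""Audit an Apache mod_ssl 'SSLProtocol' directive for POODLE exposure.

Added example, not the page's or Apache's own code. Assumption: the set of
protocol versions a typical httpd build of the period knows is the tuple
below; 'all' expands to exactly that set.
"""
import re

KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_ssl_protocol(directive_line):
    """Return the set of protocols left enabled by one SSLProtocol line.

    Tokens are processed left to right: a bare name or '+name' enables it,
    '-name' disables it, and 'all' (any case) expands to KNOWN_PROTOCOLS.
    Unknown names raise ValueError, and so does a line that leaves nothing
    enabled (e.g. 'SSLProtocol -SSLv2 -SSLv3' with no 'all'), because httpd
    refuses to start with no SSL protocol available.
    """
    tokens = directive_line.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive_line)
    enabled = set()
    for token in tokens[1:]:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            names = set(KNOWN_PROTOCOLS)
        else:
            names = {p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()}
            if not names:
                raise ValueError("unknown protocol name %r" % name)
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    if not enabled:
        raise ValueError("no protocol left enabled; httpd would not start")
    return enabled


def find_ssl_protocol(conf_text):
    """Return the last uncommented SSLProtocol line in ssl.conf text, or None.

    A later directive in the same context overrides an earlier one, so the
    last one wins; lines whose first non-blank character is '#' are comments.
    """
    found = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"(?i)^sslprotocol\b", stripped):
            found = stripped
    return found


def poodle_exposed(conf_text):
    """True if SSLv3 (or SSLv2) would still be negotiable with this ssl.conf."""
    line = find_ssl_protocol(conf_text)
    # Assumption for the audit: with no directive at all, treat every version
    # as enabled, which is the conservative reading.
    enabled = parse_ssl_protocol(line) if line else set(KNOWN_PROTOCOLS)
    return bool(enabled & {"SSLv2", "SSLv3"})


# Constructed sample configs (not taken from any real server).
STOCK_CONF = "# SSL Protocol support:\nSSLProtocol all -SSLv2\n"
FIXED_CONF = "SSLProtocol all -SSLv2 -SSLv3\n"
ALLOWLIST_CONF = "SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2\n"

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("fixed", FIXED_CONF),
                        ("allow-list", ALLOWLIST_CONF)):
        print(label, sorted(parse_ssl_protocol(find_ssl_protocol(conf))),
              "POODLE exposed:", poodle_exposed(conf))
```

Run it against a copy of your ssl.conf (read the file and pass its text to poodle_exposed) before the restart; the allow-list form is the easiest to reason about because the result does not depend on what all happens to include in your httpd build.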

On our Facebook page (facebook.com/ezylinkit) I recently posted on the Telstra and Microsoft scam that continues unabated – where people get a random call from someone pretending to be from Microsoft (or Telstra, as has also been the case here in AU) and they get the user to give them remote access into their PC, at which point they open up some logs and "prove" that there is an issue (with bogus claims over what is in the logs). From there they install a pile of junk software, often including remote access and keylogging software, charge the customer AND also take money from their accounts. All very insidious.
We had a recent customer repair that had a new item they had thrown in. The dodgy brothers had set up a Windows Startup Password on the PC, so when it was rebooted it came up asking for a boot password to get into Windows – which comes up BEFORE the normal Windows login.
So I did some hunting on the net, and there were many comments about doing a restore of your registry, or going back to a last good system state, or recovering the last backed-up registry. Yes, these would all work – but we are dealing with morons here! So how about trying some stupidly simple passwords first: password, admin, loser (ok, that one is not likely), abc, 12345, 1234, 123… BINGO, it was 123. Yes, they are that sad. I found some other reports on the web about people who guessed numbers, so it seems that this is what they do. And since they have to change shifts between morons for the 24/7 scam, I'm sure they need to keep it simple.
So what is the "Startup Password"? In simple terms it is a way to protect your registry account file so that it can't be hacked. It is a not often used feature, so I thought I'd list how it is used (and how to remove the password – since now that I was into Windows the customer of course doesn't want to see that every boot!)
From within Windows you access the Startup Password feature via "syskey". Just run that from any command prompt or run box. It's actually called the SAM Lock Tool. When you run it you can encrypt your SAM (part of the registry) and set a password on it. So let's get in and reverse the damage! Note you can't un-encrypt the SAM, but you can remove the password requirement on boot.
Step 1. Click Update within syskey.

Step 2. Click OK. This will then ask you for the old password (123 in my case) and a new one (leave it blank).
Step 3. Reboot the computer. At the Windows Startup Password screen, just hit Enter to get past it. Then, back in Windows, run syskey again, go to Update, then click on the bottom option for System Generated Password.
Choose "Store Startup Key Locally", then choose OK. This will then save the (blank) password to the system, and no longer show a password box on boot. Tick one for the good guys. Now to just meet one of these scammers in a dark alley with a baseball bat…

As of Windows 8 Microsoft has asked vendors to start putting the Windows key in the BIOS. This makes it easy for the vendor to preload Windows and the customer not to have to activate. BUT what happens (as is the case we see) when your hard drive dies and you have no backup discs? Since the computer vendors don't supply CDs/DVDs anymore – you have an issue. Well, you did!

To complete this process you will need a copy of Windows 8/8.1 (that is the same version you had on the computer), and a valid key that works with that version. Note you will be changing the key over to the correct one at the end of the process.

So step 1 is to load Windows, and use the valid key you have to install. If it's an unused key, make sure you don't connect to the internet after installing, as it may auto-activate Windows and use that key! Then step 2 – once Windows is set up you need to get the BIOS Windows key – and that's where the great program called pkeyui comes in handy, which will allow you to read BOTH the installed key and the BIOS key. So run that, get your BIOS key, then run the following command to be able to change the Windows 8 key (do it at an elevated command prompt) -

Here's a support case which took some tracking down to resolve. A customer called saying that they were getting a warning about their browser being out of date, and a lot of 'page can't be displayed' errors. So we got their 2 machines in the office, updated the web browsers, cleaned off some junk software and things that could be causing issues, tested, and the systems were fine. The customer then returned home.
We then got a follow-up call to say they were still getting the warning – but now it was about Flash Player being out of date. First point when I started to think something else was going on – as it left us working fine!
I decided to go onsite and see it myself. At the customer's place it was as they said – and when I tried to go to any search page (eg www.google.com) it would try to download a setup.exe file FROM the page it was going to, eg http://www.google.com/setup.exe (or bing.com – same thing). And the AV on the machine would block the page as being malicious. I have seen many browser hijacks but never one that is able to keep the domain name at the start (they always redirect to dodgybros.com and then try to get you to download the virus). So did their system have a rootkit we had missed? Or was something hacked at their ISP? I needed another look.
Back at the office – the system worked perfectly. We even had a look at the setup.exe file that was in the AV quarantine and it was a Password Stealer/Keylogger. But it had been blocked, so the system wasn't infected. The only answer that made sense – it was an issue at the customer's location somehow. And during this time we had another customer contact us with the same issue – so we needed to find out what was going on and how to resolve it.
I took my notebook back to the customer's place as well, to have a clean machine to test with. Plugged their systems in and now they were just getting 'page can't be displayed' on most requests. I had a suspicion that something was going on with DNS, as I could not see how else the www.google.com/setup.exe hijack was happening. So I decided to have a look at the IP config of the PC. Here is what it showed -

On that screen I noticed something very wrong. Any normal home modem will hand out the DNS Server address as itself, so 192.168.1.1. What were these other 2 DNS servers – 23.253.94.129 and 128.199.225.64 – doing in place of what should have been there? Now the trail to the issue was becoming clear. On my notebook I set the DNS to use Google (8.8.8.8/8.8.4.4) and things worked perfectly. So I did a quick search and found that those DNS addresses were known compromised or hacker DNS servers. FOUND IT!

As a quick explanation – a DNS server changes the address you type in your web browser (eg www.google.com) into an IP address that allows the request to travel across the internet to the correct machine (eg the Google web server), since the internet is linked via IP addresses, NOT names. Normally you would use your ISP's DNS server (which your modem does for you automatically in the background). BUT if you are using compromised DNS servers, they can send you anywhere. And in this case they were sending customer requests for search engines to infected websites. The reason we were now getting 'page can't be displayed' messages was that those servers had been shut down (probably by the hosts who manage them once they found out).

So now it's time to fix the issue. I attempted to log in to the modem so I could fix the config that I assumed had been changed by the hackers – and the usual password did not work. Again a warning light that I had found the issue. The customer had not changed the password, so the hacker had! I was left no choice but to do a factory reset and reconfigure the modem. Now the network was all fine again. But how did they get into the modem? The PCs didn't seem infected – so my guess was the web interface of the modem. Then I found (to my major concern) that this model had the web interface turned ON by default – and to turn it OFF you had to create an ACL (access control list) to block external access to it!
No normal home user would have a hope of setting that up, and I consider that a major security issue. All modems I can remember have always had web (external) access to the modem OFF by default, and you need to turn it on if you want to access the modem across the internet. That's the safe way for it to be. So I locked down the modem and now they are secure again.

So what was done? Hackers had used (I would guess) some IP subnet sweeping software looking for port 80 open on any links. Then they would try generic name/password combos on the modems, and if they got into any of them they would change the DNS config so all machines in the network talked to the infected DNS servers. A situation which should never have happened if manufacturers maintained a simple standard of WEB access on ADSL modems being OFF by default.
The other customer we were contacted by had the same issue – so now we knew how to address it, by resetting the modem to factory and setting it up again (and locking the web/external access down). An interesting lesson in tracing the fault and how hackers work.
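The check that cracked this case can be automated. Below is an added example written for this post (not the site's own tooling) that parses the output of ipconfig /all and applies the post's rule of thumb: on a home network the DNS server handed out by DHCP should be the gateway (modem) itself, a LAN address, or a resolver you chose on purpose, and anything else deserves a closer look. The ipconfig text is constructed to resemble the case described, not a real capture, and the trusted-resolver list (Google's 8.8.8.8/8.8.4.4, which the post used as a workaround) is an assumption you would replace with your own.

```python
"""Flag DNS servers in 'ipconfig /all' output that do not belong.

Added example, not the page's own code. Assumption: the only resolvers the
owner knowingly configured are the ones in TRUSTED_RESOLVERS; everything
else that is neither the gateway nor a private LAN address is reported.
"""
import ipaddress
import re

TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample in the layout ipconfig /all prints on Windows 7.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 23.253.94.129
                                       128.199.225.64
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_ipconfig(text):
    """Return (gateway, [dns servers]) from ipconfig /all output.

    'DNS Servers' may list several addresses, one per line; only the first
    carries the label and the rest are indented continuation lines holding
    just an address. IPv6 entries are ignored for this check.
    """
    gateway = None
    dns = []
    collecting = False
    for line in text.splitlines():
        m = re.match(r"\s*Default Gateway[ .]*: *(" + _IPV4 + ")?", line)
        if m:
            gateway = m.group(1)
            collecting = False
            continue
        m = re.match(r"\s*DNS Servers[ .]*: *(" + _IPV4 + ")?", line)
        if m:
            collecting = True
            if m.group(1):
                dns.append(m.group(1))
            continue
        if collecting:
            m = re.match(r"\s+(" + _IPV4 + r")\s*$", line)
            if m:
                dns.append(m.group(1))
            else:
                collecting = False  # first non-address line ends the list
    return gateway, dns


def suspicious_dns(gateway, dns_servers, trusted=TRUSTED_RESOLVERS):
    """Return the DNS servers that are neither the gateway, on a private
    (LAN) range, nor in the trusted list. A hit is a prompt to investigate
    (an ISP's public resolver would also show up here), not proof of a hijack.
    """
    flagged = []
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        if server == gateway or server in trusted or addr.is_private:
            continue
        flagged.append(server)
    return flagged


if __name__ == "__main__":
    gw, servers = parse_ipconfig(SAMPLE_IPCONFIG)
    print("gateway:", gw, "dns:", servers)
    print("suspicious:", suspicious_dns(gw, servers))
```

On a real machine, save the output of ipconfig /all to a file and pass its contents to parse_ipconfig; if it flags anything, the next stop is the modem's DNS settings and its admin password, exactly as in the case above.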

Recently had to replace the waste pads on a customer's MP480 printer. Not an easy job – be ready to get dirty! The actual pads are only $20-$30 to buy new, and the old ones can be accessed from the unit by taking the back cover off (which holds the paper – 2 black screws left and right, then lift up). I would suggest using pliers to get the pads out – and then clean the tube so waste ink can flow out again. That's the 'easy' part…

Next you need to get the printer into service mode and reset the count so that it knows you have done the job. This video gives the idea of how – http://www.youtube.com/watch?v=0waX_GF-h7U. For the MP480 it's the following – Hold RESET, then press and hold POWER, then release and press RESET twice (the front light should go from Green to Orange to Green). Then release POWER. That should then boot it into Service mode and say IDLE. Now for the final part – you need to reset the Ink Absorber Counter to 0% so the printer will start working again (note you can also do this if you want to just reset the counter and keep printing – but be sure to check if the waste ink IS full rather than ignoring the issue!).

To do that you will need the Canon Service Tool v3400, which allows you to talk to Canon printers in service mode and make changes – like the Ink Counter. You can download it HERE. It's simple software that talks to the printer via USB in Service mode and allows you to configure all the parts – worth a look! Then just power off and on, and the system should be good to go.

Recently a new variant of ransomware malware has surfaced called CryptoLocker (or CriLock according to Microsoft). Whereas past malware would put a warning on the screen and lock you out of normal use (eg saying the AFP had your details), this new variant actually encrypts your Office/PDF/Image files with a 2048 bit key. As of now the ONLY way to get your files un-encrypted is to pay their money within the 90 hour time limit (which is about $400US at the moment) to get the decrypt key. And people are doing it – as they have no choice if they don't have a backup (note the malware writers are actually providing the decrypt keys to people, so they are running a real operation – the last count I read was > $7M collected so far by them).
The malware will normally arrive via email. It comes as an attachment (usually in a zip file) that the customer then clicks on, and that activates the malware on their PC. And the activity may not be immediate – since the malware will take time to locate an active Command & Control server on the internet to log the key.
This document gives a very good tech rundown of the malware – http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information. So what to do?
1. Make sure your AV is up to date – so it will block the infection when it arrives. Most AV should be automatically updating every day. We use Kaspersky, which picks up all of this malware in the tests we've done.
2. Make sure you have a good backup of the files that matter to you. All businesses should have this anyway – but home users need to be especially aware (imagine losing ALL your kids' photos from the last 10 years…)
3. Always look at the email you get and make sure it looks legit, from someone you would expect to get a file sent to you by! An example is they come from Westpac – and people who don't even have a Westpac account click on the attachment…
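Point 3 can be backed up with a mechanical check on the attachment itself. The following is an added example written for this post (not the site's, Kaspersky's or any vendor's code): it opens a zip attachment in memory, reads only the central directory (nothing is extracted or run), and flags the things a help desk or mail gateway would want to stop in a CryptoLocker-style lure: executable or script file types, "double extensions" such as Invoice.pdf.exe that look like a document, nested archives, and entries that are encrypted so they cannot be inspected. The extension lists are an assumption to be extended to taste, and the sample attachment is constructed from fake bytes.

```python
"""Screen a zip e-mail attachment for executable content without opening it.

Added example, not the page's own code. Assumptions: the extension sets
below are the ones worth blocking; the sample zip is built in memory from
placeholder bytes, not a real sample.
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".jse", ".vbe", ".wsf", ".hta", ".cpl"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".cab"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def classify_name(name):
    """Return a list of reasons this archive entry is suspicious (empty = clean)."""
    reasons = []
    base = posixpath.basename(name).lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable type %s" % ext)
        # invoice.pdf.exe: a document-looking name hiding an executable
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension (.%s before %s)" % (parts[-2], ext))
    if ext in ARCHIVE_EXTS:
        reasons.append("nested archive %s" % ext)
    # Long runs of spaces push the real extension out of view in mail clients.
    if "   " in base:
        reasons.append("padded filename")
    return reasons


def screen_zip(data):
    """Inspect zip bytes; return {entry name: [reasons]} for flagged entries.

    Only the central directory is read, so no file content is extracted.
    Encrypted entries are reported because their contents cannot be examined.
    """
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                reasons.append("encrypted entry")
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_attachment():
    """Construct a zip shaped like a phishing 'invoice' (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ-not-a-real-program")
        zf.writestr("readme.txt", b"Please see attached invoice.")
        zf.writestr("archive/more.zip", b"PK-not-a-real-archive")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in screen_zip(build_sample_attachment()).items():
        print(entry, "->", "; ".join(why))
```

A clean result from this screen is not a guarantee (a macro-laden document passes it), so it complements the up-to-date AV in point 1 rather than replacing it; its value is catching the plain executable-in-a-zip lure before anyone double-clicks.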

There is a recent update from Microsoft which can cause issues with Kaspersky virus protection. The system will show 'no valid license' in Kaspersky and it will do a scandisk on each boot (and find no errors).
This is due to the recent MS update (KB2823324), which makes changes to the ntfs driver file. The solution is to remove the update from your computer (Microsoft have removed it from their download list) and reboot – which will allow the system to return to normal function. Windows 7 is affected, as is Server 2008. To remove a Windows update use Programs and Features in the Control Panel, and choose View installed updates from the left. They are listed in date order – and this update was released 8/4/13.

Details from Kaspersky on the issue are HERE, and the Microsoft post on the update can be found HERE.

Came across this issue recently – when you boot a Windows 7 PC the network shares do not work until you click on them, and then they are all fine. Some programs can't get into the folders to access the data until you activate them – which is annoying to say the least (why isn't it automatic?).

So the fix? Registry edit time -
In regedit navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add a NEW DWORD called EnableLinkedConnections and set its value to 1.

Reboot and you should find your network drives are no longer inactive on boot.